Living-off-the-COM-Type-Coercion-Abuse: achieve stealthy command execution by abusing implicit type coercion
COM Type Coercion Execution in PowerShell
This technique leverages PowerShell’s .NET interop layer and COM automation to achieve stealthy command execution by abusing implicit type coercion. A custom .NET object is defined in PowerShell with an overridden .ToString() method. When this object is passed to a COM method such as Shell.Application.ShellExecute, PowerShell implicitly calls .ToString(), converting the object to a string at runtime.
The technique exploits the automatic conversion of objects to strings via the .ToString() method when interacting with COM methods. This creates an execution path that may bypass traditional security monitoring tools focused on direct PowerShell command execution.
Key Components
- Custom Class Definition: Creating a class that overrides the standard
.ToString()method to return a command string rather than typical object information. - PowerShell Type Coercion: Leveraging PowerShell’s automatic type conversion system.
- COM Object Execution: Using the
ShellExecutemethod of theShell.ApplicationCOM object.
